Re: [Detnet] Secdir telechat review of draft-ietf-detnet-mpls-11

Balázs Varga A <balazs.a.varga@ericsson.com> Fri, 04 September 2020 13:26 UTC

From: Balázs Varga A <balazs.a.varga@ericsson.com>
To: Watson Ladd <watsonbladd@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-detnet-mpls.all@ietf.org" <draft-ietf-detnet-mpls.all@ietf.org>, "detnet@ietf.org" <detnet@ietf.org>
Thread-Topic: Secdir telechat review of draft-ietf-detnet-mpls-11
Date: Fri, 04 Sep 2020 13:25:57 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/UsjjSk7C9_Md-ZG78gOJIM7ygoE>

Hi Watson,

Many thanks for the review and the comments. 

Right, a compromised node can make trouble not only for DetNet flows but for any other 
MPLS traffic as well. In the draft we intend to include "exclusively security considerations 
which are specific to the DetNet MPLS data plane". 

So, we have referred to RFC5920 (Security Framework for MPLS and GMPLS Networks) 
in section "10. Security Considerations" and not included general MPLS security concerns 
and their mitigation.

I hope this clarifies your comments.

Thanks & Cheers
Bala'zs

-----Original Message-----
From: Watson Ladd via Datatracker <noreply@ietf.org> 
Sent: Sunday, August 30, 2020 12:03 AM
To: secdir@ietf.org
Cc: last-call@ietf.org; draft-ietf-detnet-mpls.all@ietf.org; detnet@ietf.org
Subject: Secdir telechat review of draft-ietf-detnet-mpls-11

Reviewer: Watson Ladd
Review result: Has Nits

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is has nits.

First the good parts: this document has a very well-thought-out Security Considerations section that describes the threats unique to this setting and makes a reference to an upcoming architecture draft. However, I found analysis of how the protocol should be deployed or configured or is designed to address those threats to be lacking in a few places. The discussion of DOS attacks is good: it says that, to avoid impacts on the DetNet services, traffic must be policed or dropped at the edge. I would like to see a similar statement made about the consequences and mitigations for interior network corruption. It reads almost like a sentence or two was inadvertently deleted.

However, if I understand the MPLS architecture correctly, a compromised node can inject a label stack that results in interference with the DetNet flows, and this is quite difficult to avoid in the general case. I'm not knowledgeable in this area by any means. Perhaps it's necessary to say that all the MPLS nodes are assumed to be trusted and otherwise the DetNet services cannot be provided.

I think this can be addressed pretty quickly.

Sincerely,
Watson Ladd
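As an added illustration of the "police or drop at the edge" mitigation the review refers to (example code written for this page, not from the draft, the DetNet WG or either correspondent): a model ingress policer that parses an RFC 3032 MPLS label stack, admits a packet only when its top label belongs to a provisioned DetNet flow, and enforces that flow's committed rate with a token bucket. The class and function names, the label values and the rates are constructed assumptions, and a real node would demote unprovisioned traffic to best-effort rather than simply counting it as dropped.

```python
import struct

# Constructed model of a DetNet MPLS domain-edge policer (not the draft's code).
# Label stack entry per RFC 3032: 20-bit label, 3-bit TC, 1-bit S (bottom of
# stack), 8-bit TTL, packed big-endian into one 32-bit word.

def parse_label_stack(pkt: bytes):
    """Return ([(label, tc, s, ttl), ...], payload_offset); raise on truncation."""
    entries, off = [], 0
    while True:
        if off + 4 > len(pkt):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", pkt, off)
        entries.append((word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF))
        off += 4
        if entries[-1][2]:           # S bit set: bottom of stack reached
            return entries, off

class TokenBucket:
    """Committed-rate policer: rate in bytes/s, burst in bytes; time passed in explicitly."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0.0
    def admit(self, size, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

class EdgePolicer:
    """Admit only provisioned DetNet top labels, each within its committed rate."""
    def __init__(self, flows):
        # flows: {top_label: (rate_bytes_per_s, burst_bytes)}, the provisioned DetNet flows
        self.buckets = {lbl: TokenBucket(r, b) for lbl, (r, b) in flows.items()}
    def classify(self, pkt, now):
        try:
            entries, _ = parse_label_stack(pkt)
        except ValueError:
            return "drop:malformed"
        top = entries[0][0]
        if top not in self.buckets:
            return "drop:unprovisioned"   # unknown label cannot reach DetNet queues
        if not self.buckets[top].admit(len(pkt), now):
            return "drop:rate"           # flow exceeding its contract is policed
        return "admit"

def mpls_entry(label, tc=0, s=0, ttl=64):
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)

def demo():
    # Constructed flow: label 1000 provisioned at 1000 B/s with a 200 B burst.
    policer = EdgePolicer({1000: (1000, 200)})
    good = mpls_entry(1000, s=1) + b"x" * 60      # 64-byte DetNet packet
    rogue = mpls_entry(4242, s=1) + b"x" * 60     # unprovisioned label
    results = [policer.classify(good, 0.0), policer.classify(rogue, 0.0)]
    results += [policer.classify(good, 0.0) for _ in range(3)]
    return results   # the fourth 64-byte burst packet exceeds the 200 B burst
```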